Re: AVCs on bringing up a network device via hotplug.

Aleksey Nogin <aleksey@xxxxxxxxx> · Thu, 11 Mar 2004 08:33:37 -0800

On 11.03.2004 08:20, Bill Nottingham wrote:

Perhaps we need a network-init role, used by /etc/init.d/network,
that hotplug (and others) can transition to?

Yes, this seems like a good idea. "and others" should probably include 
at least APM/ACPI (for suspend/resume scripts).

But also note that part of the AVCs comes from the following fragment of 
/sbin/ifup:

...

# Remove any temporary references which were previously added to 
dhclient config

if [ -w /etc/dhclient-${DEVICE}.conf ] && [ -x /sbin/dhclient ] ; then

   LC_ALL=C grep -v "# temporary RHL ifup addition" 
/etc/dhclient-${DEVICE}.conf > /etc/dhclient-${DEVICE}.conf.ifupnew 2> 
/dev/null

   cat /etc/dhclient-${DEVICE}.conf.ifupnew > /etc/dhclient-${DEVICE}.conf

   rm -f /etc/dhclient-${DEVICE}.conf.ifupnew

fi

if [ -n "${DYNCONFIG}" ]; then

    PUMPARGS=$PUMPARGS

    DHCPCDARGS="$DHCPCDARGS -n"

    DHCLIENTARGS="${DHCLIENTARGS} -1 -q -lf 
/var/lib/dhcp/dhclient-${DEVICE}.leases -pf 
/var/run/dhclient-${DEVICE}.pid -cf /etc/dhclient-${DEVICE}.conf"

    if [ -n "${DHCP_HOSTNAME}" ]; then

       # Send a host-name to the DHCP server (requ. by some dhcp servers).

       PUMPARGS="${PUMPARGS} -h ${DHCP_HOSTNAME}"

       DHCPCDARGS="${DHCPCDARGS} -h ${DHCP_HOSTNAME}"

       if [ -x /sbin/dhclient ] ; then

          if [ -w /etc/dhclient-${DEVICE}.conf ] ; then

             if ! LC_ALL=C grep "send *host-name *\"${DHCP_HOSTNAME}\"" 
/etc/dhclient-${DEVICE}.conf > /dev/null 2>&1 ; then

                echo "send host-name \"${DHCP_HOSTNAME}\";  # temporary 
RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf

             fi

          elif ! [ -e /etc/dhclient-${DEVICE}.conf ] ; then

             echo "send host-name \"${DHCP_HOSTNAME}\";  # temporary 
RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf

          fi

       fi

    fi

...

It seems that the least it could do is to check whether a "temporary RHL 
ifup addition" line is in fact present in the config _before_ trying to 
mess with it. And in general, allowing the ifup script to mess with the 
DHCP config does not seem like such a good idea.

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin@xxxxxxxxxxxxxx (office), aleksey@xxxxxxxxx (personal)
Office: Jorgensen 70, tel: (626) 395-2907